Tuesday, 30 July 2013

The firewall rules in Centos, commonly known as IPTables, are based on the use of IP addresses, protocols and ports and give you the ability to manage all connection activity in and out of your server. Rules are organised into chains (INPUT, OUTPUT and FORWARD) and you can ACCEPT, DROP or REJECT traffic according to your own criteria. IPTables are the bedrock of the server's security, so here we will look at replacing the pre-installed rule set to build your own.

First log in as root and remove all the current rules

# iptables --flush

Now, as a temporary measure to ensure that we will have no issues when trying to connect to the server, we set the server to accept all incoming connections.

Now we add a simple rule that enables unlimited traffic on the loopback (127.0.0.1) to provide access from the localhost

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Next we can add an optional rule for the server's own static IP address, if it has one

iptables -A INPUT -i lo -s 192.168.0.100 -d 192.168.0.100 -j ACCEPT

Now we enable both ICMP and STATE. ICMP is associated with diagnostics such as ping and traceroute and with network control and discovery, while STATE lets IPTables remember the status of each connection, in conjunction with the protocol and the source and destination IP addresses.
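As an added example (not part of the original post), here is the rule set the post builds up, written as a shell script with the STATE and ICMP rules carried through and, going beyond the post, an SSH allow rule and a final DROP policy so the server is closed once the allowed traffic is listed. SSH_PORT is an assumption; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the original post's code: base IPTables rule set for
# Centos 6. Run as root; set DRY_RUN=1 to preview the rules without applying.

# Wrapper so the same function can either apply or print each rule.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_base_rules() {
    ssh_port="${SSH_PORT:-22}"   # assumed; use the port from sshd_config
    # Start from a clean slate, as the post does.
    ipt --flush
    # Temporarily accept everything so the session editing the rules is not cut off.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT
    # Unlimited traffic on the loopback interface.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # STATE: let replies to connections the server initiated back in.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Drop TCP packets claiming to be new connections without a SYN flag.
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # ICMP: allow echo-request so ping and traceroute still work, rate limited.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # SSH on the configured port so the administrator is never locked out.
    ipt -A INPUT -p tcp --dport "$ssh_port" -m state --state NEW -j ACCEPT
    # Everything not explicitly allowed above is dropped; OUTPUT stays ACCEPT.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}
```

After checking the result with `iptables -L -n`, `service iptables save` writes it to /etc/sysconfig/iptables so it survives a reboot.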

Monday, 29 July 2013

Changing Port No

Changing the port number used by ssh from the default 22 can help increase the security of the ssh server.

To do this open up the config file

# vi /etc/ssh/sshd_config

Scroll down to the part which reads

#Port 22

Uncomment the line and change the value to your preferred one, making sure that the port number is not already in use. Then restart the server

# service sshd restart

Limiting SSH access by user or group

All valid users on the system are allowed to log in and enjoy the benefit of SSH, but a more secure policy is to allow only a predetermined list of users or groups to log in. To do this, log in as root and open the SSH configuration file

# vi /etc/ssh/sshd_config

Scroll down and locate the line which starts

AllowUsers

and append to it the users you wish to allow, for example

AllowUsers anton james george

You can also use the same method to allow members of a valid administration group to log in.

AllowGroups

Or you can add admin to the line, where this is a valid user

AllowUsers admin

When done restart the server with

$ sudo service sshd restart

See also SSH Harden shell and Install OpenSSH

The secure shell (SSH) is the basic toolkit that provides remote access to your server to perform maintenance, upgrades, install packages, transfer files, or facilitate whatever action you need to carry out as the administrator in a secure environment.

With a few rudimentary configuration changes you can deny root access, add a welcome banner, and protect your server from unwanted guests. Here we use the OpenSSH version.

Once installed first back up the config file after logging in as root.

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Open up the sshd configuration file for editing

# sudo vi /etc/ssh/sshd_config

First adjust the time allowed to log in; scroll down to the line

#LoginGraceTime 2m

Change the line to

LoginGraceTime 60

A few lines further down is the line that reads

#PermitRootLogin yes

Change it to

PermitRootLogin no

Next find the following two lines

#X11Forwarding no
X11Forwarding yes

and change them to

X11Forwarding no
#X11Forwarding yes

Uncomment the following lines

PrintMotd yes
PrintLastLog yes

Now save and close the sshd_config file before opening the following to create the welcome banner.

# vi /etc/motd

Add the banner to the file; an example could be

This computer system is for authorized users only. All activity
is logged and regularly checked. Individuals using this system
without authority or in excess of their authority are subject to
having all their services revoked...

Save and close the file and restart the sshd daemon

# service sshd restart

Open up a new ssh session to make sure everything is running fine before closing the first session with

# exit

You should now find that root access to the shell is denied and you must log in using a standard user account. The next session should open up with the new login banner.

Keep sessions alive

You can set the idle timeout on the server by making adjustments in the config file.

# vi /etc/ssh/sshd_config

Scroll down and find the lines

ClientAliveInterval 60
ClientAliveCountMax 5

The first line instructs the server to wait 60 seconds after the last input before it sends a packet which requires a response.

The second line sets the number of missed or no response intervals to 5 before it assumes the connection has been dropped.

Set these to your preferred values.

Now find and uncomment the following line

TCPKeepAlive yes

This tells the SSH server to send TCP keepalive packets to discover whether the connection is still valid. Consequently, even if your session times out, this feature will terminate the current session and prevent it from hanging and becoming a zombie.
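The sshd_config edits made across the SSH posts above (AllowUsers, LoginGraceTime, PermitRootLogin, X11Forwarding, PrintMotd, PrintLastLog, and the ClientAlive and TCPKeepAlive settings) as one idempotent shell helper. This is an added example rather than code from the posts; the function names set_sshd_option, harden_sshd and get_sshd_option are my own, the user list is the post's example, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example, not the original posts' code. Each call uncomments a
# "#Key value" line, rewrites an existing "Key value" line, or appends the
# key if it is absent, so running it twice leaves the file unchanged.
# SSHD_CONFIG defaults to the real file; point it at a copy to test.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

set_sshd_option() {
    key="$1"
    value="$2"
    file="${3:-$SSHD_CONFIG}"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        # sshd uses the first match, so every copy (active or commented)
        # is rewritten to rule out a later line overriding the new value.
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        # Appended at the end: keep the file free of Match blocks below this point.
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Applies the values from the posts above.
harden_sshd() {
    file="${1:-$SSHD_CONFIG}"
    set_sshd_option LoginGraceTime 60 "$file"
    set_sshd_option PermitRootLogin no "$file"
    set_sshd_option X11Forwarding no "$file"
    set_sshd_option PrintMotd yes "$file"
    set_sshd_option PrintLastLog yes "$file"
    set_sshd_option ClientAliveInterval 60 "$file"
    set_sshd_option ClientAliveCountMax 5 "$file"
    set_sshd_option TCPKeepAlive yes "$file"
    set_sshd_option AllowUsers "anton james george" "$file"   # users from the post
}

# Effective value of a keyword: the first uncommented match wins, as in sshd.
get_sshd_option() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}
```

Source the file and run `harden_sshd`, then `sshd -t` to check the syntax before `service sshd restart`.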

Sunday, 28 July 2013

You can create an administrative user and provide them with access to the su or switch user command that enables them to change the ownership of a login session in order to become root or any other user.

Managing a server as the root user is probably not the best way to work as you are leaving yourself open to a whole host of issues that can give rise to a multitude of errors.

Use of the root user account should be left until it is required, so here we configure a day-to-day administrative user who can switch to root with the su command.

To start with, log in as root and create your new user, in this case anton

# useradd anton
# passwd anton

Use an alphanumeric password between 6 and 16 characters long. Now add the user to the wheel group

# usermod -a -G wheel anton

Now we activate the wheel module in PAM. PAM, the Pluggable Authentication Module, provides a global method of authenticating users across the system as a whole without any individual program being required to know which authentication system will be used.

# vi /etc/pam.d/su

Scroll down and uncomment the following line

auth required pam_wheel.so use_uid

Save and exit the file. Now you have activated the su command for the user, and it can become the root user by issuing the su command

IPv6 was introduced to solve the problems of IPv4, but it is often not used and not all hardware supports it. If you find it necessary to disable IPv6 for any reason, you may also find that this speeds up networking and reduces administrative overhead with improved security levels.

IPv6 is a major component found within the Centos operating system and by following this guide you can completely disable IPv6 on the system. For those networks that do not support this feature disabling IPv6 can be a good option in order to tighten system security and increase the overall performance of the system.

It is not advised to use this method if you intend to use any IPv6-dependent features such as bonding, Postfix, SELinux and similar packages.

To begin, log in as root and disable IPv6 by typing

# echo "install ipv6 /bin/true" > /etc/modprobe.d/disable-ipv6.conf

This ensures that whenever the system needs to load the IPv6 module it executes the true command instead of actually loading the module; since /bin/true does nothing, the module will not load.

Now disable the ipv6 tables

# chkconfig ip6tables off

Then we disable any calls to IPv6 in its various locations. To do this open the network configuration file.

# vi /etc/sysconfig/network

Scroll down and add or amend the following line to read

NETWORKING_IPV6=no

To complete the process we modify the configuration file for each Ethernet device to show the following values as an example

The hosts file consists of a list of IP addresses and corresponding hostnames. If your network contains computers whose IP addresses are not listed in an existing DNS record, it is recommended that you add them to the hosts file in order to speed up the network.

To do this on Centos just open up the hosts file and add the following values

This method provides you with the chance to create mappings between domain names and IP addresses without the need to use a DNS and can be applied to any workstation or server. The list is not restricted by size and you can even employ this method to block access to certain websites by simply repointing all requests for a known website to a different IP address.

For example, if the real address of www.website.com is 192.168.1.200 and you want to restrict access to it, then simply make the following change to the hosts file of the viewing computer

192.168.1.201 www.website.com

This isn't completely failsafe, but anyone trying to access www.website.com from that computer will automatically be sent to 192.168.1.201 instead of 192.168.1.200.

Although the hostname is typically set at installation time, there are occasions when you may need to change it for technical reasons or otherwise.

Here we look at changing the hostname and resolving the fully qualified domain name.

First open up the network script in a text editor

$ sudo vi /etc/sysconfig/network

Change the HOSTNAME value to your preferred name and then save and exit the file. If you want to rename the server to centosbox it will appear as

NETWORKING=yes
HOSTNAME=centosbox

Avoid capitals and irregular characters when naming the host; use only alphanumeric characters and keep the name under 63 characters in length.

Now confirm the settings for the server in order to complete the Fully Qualified Domain Name or FQDN. An FQDN consists of a hostname and the DNS-based domain name, so in order to do this we will need to open and edit the hosts file

Replace the values of the second line with something more appropriate, so if the server is called centosbox with an IP address of 192.168.0.100 and a domain name of centosbox.com then the final file will look like below.

If the server is on a local network, it is advisable to use a non-Internet based address. For example, you could use .local, .lan or .home. By using these references you will avoid any confusion with the typical .com, .co.uk or .net domain names.

When done, save the file and reboot the server to allow the changes to take effect immediately.

$ reboot

On rebooting, you can now check your new hostname by typing the following command and waiting for the response

$ hostname

To confirm the hostname type the following command and wait for the response

$ hostname -f

Or, as an alternative to the preceding method, to confirm the Fully Qualified Domain Name (FQDN), you can type the following command and wait for the response

$ hostname --fqdn

So, by changing the values in the two system configuration files /etc/sysconfig/network and /etc/hosts and rebooting the server we can easily change the hostname.

The hosts file is used by Centos to map hostnames to IP addresses and is often found to be incorrect on a new, unconfigured or recently installed server. For this reason we first reorganise the references shown in order to support both the relevant IPv4 and IPv6 values as well as the hostname and domain name reference. So we rewrite the file to reflect the newly assigned values.

So to conclude we can say that we have not only renamed the server, but we have also dispelled the myths associated with hostnames as opposed to domain names.

A server is not only known by its shorter single-word base name; its full name consists of the three values separated by periods. The domain name remains distinct from the hostname because it is determined by the resolver system, and it is only by putting them both together that the server will give the Fully Qualified Domain Name or FQDN of the system.

Friday, 19 July 2013

If you are using a standard ethernet device with a Static IP on your Centos 6/RHEL box then you can easily create additional Virtual Static IPs using the same device. These can enable you to run multiple servers and websites, or create a private LAN using a local IP and have the alias hold your Internet IP. To do this you must first have a Static IP set up on your system; this assumes that you are just using one installed device and that you are familiar with the Static IP range available from your router.

First log in as root and copy your existing ifcfg-eth0 to a new file named ifcfg-eth0:1

In the new file, remove the hardware-specific lines

HWADDR=XX:XX:XX:XX:XX:XX
UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Now all that is left to do is to assign it a Static IP address from your available pool; scroll to the IPADDR section and enter the new address.

IPADDR=XXX.XXX.XXX.XXX

Save the file and restart the network

$ sudo service network restart

Now run ifconfig command to view the new Virtual Static IP

$ sudo ifconfig -a

Virtual Static IP Centos 6

You can use the new Virtual Static IP address in a variety of ways. In addition you can add extra ones as long as you have the addresses available from your router; just ensure that they are named in succession, i.e. eth0:2, eth0:3, etc.
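The alias file creation described above as a shell helper, added here as an example rather than the post's own code: it copies ifcfg-ethX without the HWADDR and UUID lines, sets DEVICE to the alias name (which the post does not mention but an alias file requires), substitutes the new address, and picks the next index so aliases stay in succession. The function names and NET_SCRIPTS variable are my own.

```shell
#!/bin/sh
# Added example, not the original post's code. NET_SCRIPTS defaults to the
# Centos 6 location; point it at a scratch directory to test.
NET_SCRIPTS="${NET_SCRIPTS:-/etc/sysconfig/network-scripts}"

# Highest existing ifcfg-ethX:N plus one, so eth0:1, eth0:2 ... are used in order.
next_alias_index() {
    n=0
    for f in "$NET_SCRIPTS/ifcfg-$1":*; do
        [ -e "$f" ] || continue        # no match: the glob is returned literally
        i="${f##*:}"
        [ "$i" -gt "$n" ] && n="$i"
    done
    echo $((n + 1))
}

# make_alias eth0 1 192.168.0.101  ->  writes ifcfg-eth0:1
make_alias() {
    base="$1"
    index="$2"
    ipaddr="$3"
    src="$NET_SCRIPTS/ifcfg-$base"
    dst="$NET_SCRIPTS/ifcfg-$base:$index"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst already exists" >&2; return 1; }
    # Refuse anything that is not four dotted octets before touching the file.
    echo "$ipaddr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Drop the lines tied to the physical device; the rest (NETMASK, GATEWAY,
    # BOOTPROTO, ONBOOT ...) carries over unchanged.
    awk '!/^(HWADDR|UUID|DEVICE|IPADDR)=/' "$src" > "$dst"
    printf 'DEVICE=%s:%s\nIPADDR=%s\n' "$base" "$index" "$ipaddr" >> "$dst"
}
```

Restart the network with `service network restart` afterwards and check the result with `ifconfig -a`, as the post does.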

Most users will need to use the sudo command, with or without the no-password option, and this guide runs through setting this up. It allows a user to execute almost any command with root privileges. Centos 6 does not provide sudo access by default, so it needs to be set up manually. You will need a minimal version of Centos 6 installed with root access and a console text editor.

To start, log in as root and run the visudo command in the console, which will bring up your editor and the /etc/sudoers file.

# visudo

Scroll down until you find the following line

root ALL=(ALL)ALL

and add underneath it

user_name ALL=(ALL)ALL

or

user_name ALL=(root)ALL

If you also want to use the sudo command without having to enter the root password all the time then use the NOPASSWD flag, i.e.

user_name ALL=(root) NOPASSWD:ALL

Now scroll down to the bottom of the file and add the following line.

Defaults syslog=local1

Save the file and remove the .tmp file extension so the file is named /etc/sudoers. Now we individualise the logging for any action performed when using the sudo command; open the following file

# vi /etc/rsyslog.conf

and above the line

# The authpriv file has restricted access.
authpriv.* /var/log/secure

Thursday, 18 July 2013

Nginx, pronounced 'engine x', is an HTTP and reverse proxy server, as well as a mail proxy server. It is available from the Nginx repo as well as the Epel repo, so here we will use the Nginx repo. The rpm repo pack contains the GPG key needed to authenticate the signed rpms. This guide covers the basic installation on Centos 6 with minimal edits to get up and running; it does not cover more advanced configuration. I give it priority 40 and disable epel when installing it.

These are described in enough detail for the new or intermediate user to understand without being overwhelmingly complex, and the book is more than enough to get even the most trepidatory user up and running with a considerable degree of fluidity.

I was surprised upon reading the first few paragraphs of this book, as the first recipe described the downloading of Centos 6 on to a Windows desktop and running an MD5sum check. It struck me, however, that many users reading the book will be considering swapping out their archaic old Windows kit for some nice new Centos software magic, so it does in fact make perfect sense.

The book is delivered as a series of bite-sized chunks, each focusing on performing a specific task, and given the term recipes.

The opening chapter takes you through a variety of installation methods including a graphical method, a minimal method, a text-based method and the adding of the Gnome Desktop to the installation (though not my preference, the minimal Fluxbox, Thunar, Rxvt trio). A guide to re-installing the boot loader is also a welcome inclusion at this point, in the event of corrupted boot files occurring.

The following two chapters cover configuration and working with the installation, including guides to Mailx, NTP, Static IPs, Cron, IPv6, SELinux and Mutt amongst others.

hardening the shell environment, IPTables, SSH & fail2ban, DenyHosts and ClamAV; the latter will be useful to people migrating from a Windows environment who have become attached to their antivirus programs.

So having set up the nuts and bolts of the Linux system and secured it, we are ready to move on to slightly more advanced topics, which commence with the Samba file share program.

We learn quickly how to configure Samba as a standalone server and enable home directories, hide files & folders, add, delete and disable a user, create a custom share folder and provide a network recycle bin.

Then there is Bind, the domain tool; we are taken through building a caching-only nameserver, writing zone files and adding zones, deploying a local server with dnsmasq, logging, wildcards and hardening with chroot.

Next up is the MySQL database; although NoSQL is now heavily used there are many applications suited to MySQL and PostgreSQL, and the basics of installing these are covered in this section along with host-based authentication for PostgreSQL.

Mail services with MTA, SMTP, Postfix, Dovecot and SASL are next, with a variety of setups taken a look at, including building a local POP3/SMTP server and using Postfix and Dovecot to serve e-mails across virtual domains.

The penultimate chapter is working with the Apache (or HTTPD) web server and covers preparing httpd for a production environment, adding a secure connection to the Apache web server by creating a self-signed SSL certificate using OpenSSL, hosting peers by enabling user directories on the Apache web server and troubleshooting suexec. We also learn configuring Apache name-based virtual hosting, working with publishing directories, vhosts.d, error documents, directives, and the rewrite rule for virtual hosting.

Finally, we get to working with FTP, building a basic FTP service by installing and configuring VSFTP, providing a secure connection to VSFTP with SSL/TLS using

So a decent selection of tasks to get your teeth into, all described in a highly readable and easily digestible manner. The Centos 6 Linux Server Cookbook delivers quick answers to common problems in anodyne fashion.